Put simply, code signing certificates must be used to ensure code is secure and not tampered with, prevent malicious tampering and protect end-users. Similarly, TLS/SSL certificates establish an encrypted connection between a browser or user’s computer and a server or website and again are put in place to protect end-users. In saying this, they are not the same thing and cannot be used interchangeably.
What is a code signing certificate?
In more detail, code signing certificates are used to authenticate the software developer or publisher of the software and to ensure that the software has not been altered or compromised. Developers can use code signing certificates to digitally sign everything from applications and drivers, to executables and software programs; and by doing so, ensures that the software end-users’ receive has not been compromised by a third party. Codesigning certificates permit developers to add a digital signature, your company’s name and, if desired, a timestamp.
What is a TLS/SSL certificate?
SSL (secure sockets layer) is the standard technology for securing an internet connection by encrypting data sent between a website and a browser (or between two servers). SSL certificates prevent hackers from seeing or stealing any information transferred, including personal or financial data.
On the other hand, TLS (transport layer security) is an updated, more secure version of SSL. Sometimes, people refer to security certificates as SSL because it’s a more commonly used term, however for DigiCert specifically, you get the most trusted, up-to-date TLS certificates.
So, what is the difference?
While code signing certificates are used to encrypt software, TLS certificates are used to encrypt connections on a website. If you don’t use these certificates, end-users will get warning messages that could prevent them from using your site. For example, if a user tries to download software that is not signed using a code signing certificate, then it will be flagged by the user’s browser or operating system, and a warning message will pop up. Similarly, if a user visits a website without a TLS certificate, the browser will display a “not secure” message next to the URL, and users will likely be deterred from using the site.
Does my organisation need a code signing certificate?
In short, yes! You need a code signing certificate when deploying software and updates to protect your intellectual property, protect end-users, and meet industry and platform requirements. By allowing customers to verify that your code is authentic and has not been tampered with since it was signed, both you and your customers are protected against nasties such as fraud, malware and theft.
Your customers expect a smooth and professional installation process when they download your software, and digitally signed applications can help this by avoiding warning messages during download and installation processes. Not to mention, the partners, channels and platforms that distribute software expect you to safeguard their customers and the customers’ private data and information and will require or expect code signing best practices.
What are my options?
DigiCert offers both code signing and EV code signing certificates. Code signing certificates offer the ability to provide encrypted digital signatures, while Extended Validation (EV) code signing certificates include all the standard benefits of digitally signed code plus a rigorous vetting process and two-factor authentication security requirement, so your users can have even greater confidence in the integrity of your applications. Plus, for Microsoft Defender SmartScreen Reputation filter, an EV code signing certificate gains you automatic trusted status to reduce warning messages and most importantly, increase end-user trust.
How do I manage my code signing certificates?
If not managed properly, code signing can put your business at great risk. In fact, studies show that over half of IT security professionals are worried about cybercriminals stealing or forging certificates to sign code or applications, yet less than a third consistently enforce code signing policies.
So, whilst daunting at first, code signing certificates don’t have to be a momentous task – instead, if understood properly, it can contribute to the long-term success, safety and user confidence relating to your organisation’s intellectual property. Most importantly, however, with your software safeguarded, and downloads streamlined, it’s peace of mind for you too!
About the author
Dave Roche is the Senior Product Manager at DigiCert, where he works closely with customers to understand the signing and key management problems they face in their day-to-day devops and CI/CD environments. Dave oversees the company’s enterprise codesigning solution Secure Software Manager which provides secure code, app and container signing workflows incorporating support for key generation and management as well as capturing all signing related activity audit logs. Dave joined DigiCert as part of the Symantec Website Security acquisition and has more than 10 years PKI experience.